I have an "upload_photo.php" script that allows Users to add a "Photo Label" below the Photo they are uploading.

This gets displayed using the TITLE attribute in the IMG tag.

Is there any reason why I would want to restrict what characters can go in the "Photo Label"?

Not sure if this is a possible "Attack Vector" or not?

Thanks,

Debbie

dklynn — 2012-06-09T10:20:06Z — #2

DD,

Why ask when you already know the answer to that?

Of course you've heard of SQL injection attacks so, at the very least, run your title through mysqli_real_escape_string. I'd be pickier than that but it's a good place to start - after all, why would you allow ANYTHING other than letters and spaces? Okay, digits, too? You KNOW that 's are used in SQL injection but mysqli_real_escape_string will encode those (or change them to ' before submitting in a query).

Regards,

DK

ScallioXTX — 2012-06-09T10:48:08Z — #3

Also, as you already know, apply htmlentities() to the title when echo'ing to prevent XSS.
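
A worked version of both pieces of advice from #2 and #3 (keep the label out of the SQL text, then escape it for the attribute context on output), added here as an example and not code from the thread or the poster's upload_photo.php; the `photos` table and its `filename`/`label` columns are assumed:

```php
<?php
// Added example (not the poster's script). Assumes a table `photos` with
// columns `filename` and `label` (assumption, not from the thread).

// 1. Whitelist the label before it goes anywhere: letters, digits, spaces and
//    a little punctuation, bounded length. Anything else is rejected outright
//    rather than "cleaned", which is what #2 suggests.
function validate_label(string $label): ?string
{
    $label = trim($label);
    if ($label === '' || mb_strlen($label) > 100) {
        return null;
    }
    return preg_match('/^[\p{L}\p{N} .,!\'"-]+$/u', $label) ? $label : null;
}

// 2. Storage: a bound parameter keeps the label out of the SQL text entirely,
//    so a quote in it can never change the query. This is stronger than
//    escaping with mysqli_real_escape_string, which only rewrites characters.
function store_label(mysqli $db, string $filename, string $label): bool
{
    $stmt = $db->prepare('INSERT INTO photos (filename, label) VALUES (?, ?)');
    $stmt->bind_param('ss', $filename, $label);
    return $stmt->execute();
}

// 3. Output: escape for the HTML attribute context. ENT_QUOTES matters here
//    because the value sits inside double quotes; an unescaped " would end
//    the title attribute and let the rest of the label be parsed as markup.
function img_tag(string $src, string $label): string
{
    $safe = htmlspecialchars($label, ENT_QUOTES, 'UTF-8');
    return sprintf(
        '<img src="%s" alt="%s" title="%s">',
        htmlspecialchars($src, ENT_QUOTES, 'UTF-8'),
        $safe,
        $safe
    );
}

// Constructed sample labels: the first contains "<", which the whitelist
// rejects (validate_label returns null); the second passes and is emitted
// with its quotes encoded so it cannot break out of the title attribute.
var_dump(validate_label('Mom\'s "best" photo <3'));
$label = validate_label('Mom\'s "best" photo');
echo img_tag('uploads/123.jpg', $label), PHP_EOL;
```

Validate on the way in and escape on the way out; the two are not substitutes for each other, because the label is stored once but rendered in a specific context (here, an attribute) each time it is echoed.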

DoubleDee — 2012-06-09T16:15:03Z — #4

dklynn said:

DD,

Why ask when you already know the answer to that?

If I knew the answers I wouldn't be wasting my time here... :rolleyes:

Of course you've heard of SQL injection attacks so, at the very least, run your title through mysqli_real_escape_string. I'd be pickier than that but it's a good place to start - after all, why would you allow ANYTHING other than letters and spaces? Okay, digits, too? You KNOW that 's are used in SQL injection but mysqli_real_escape_string will encode those (or change them to ' before submitting in a query).

Regards,

DK

I don't understand what I'm supposed to do with mysqli_real_escape_string....

Debbie

DoubleDee — 2012-06-09T16:15:46Z — #5

ScallioXTX said:

Also, as you already know, apply htmlentities() to the title when echo'ing to prevent XSS.